Privacy Req 6

From IDESG Wiki
Jump to: navigation, search

<< Back to Baseline Functional Requirements Index

PRIVACY-6. USAGE NOTICE

Entities MUST provide concise, meaningful, and timely communication to USERS describing how they collect, generate, use, transmit, and store personal information.

SUPPLEMENTAL GUIDANCE

Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).

The goal of notice is to work toward informed consent from USERS: functional requirements should work toward strategies for improving USERS' understanding of their choices when engaging with services. Strategies include layered approaches, just-in-time notice, and other examples that can illustrate effective types of notice mechanism alternatives to privacy policies. In the case of material changes to the service, entities shall provide clear and conspicuous descriptions of the changes and their impacts on USERS in advance of the change.

“Consent” alone should not be used to mitigate privacy risks created by technical architecture or design, such as to mitigate risks that individuals could not be reasonably expected to be able to assess; see PRIVACY-5 (DATA AGGREGATION RISK).

See also Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on the application of limitations to, and scope of, individual transactions and data exchanges.

See also the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of notices given to USERS and others.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

NOTICE, POLICIES, PRIVACY



Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |